search

hackforla / website

Hack for LA's website
https://www.hackforla.org
GNU General Public License v2.0
323 stars 772 forks source link

Create GHA to create issues when new CodeQL alerts are detected #5059

Closed roslynwythe closed 6 months ago

roslynwythe commented 1 year ago

Overview

Create a new GitHub action workflow to create GitHub issues when new CodeQL alerts are detected so that we may respond in a prompt manner and ensure the security and quality of our codebase

Details

Action Items

Resources/Instructions

Issue Template

### Prerequisite
1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).
2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).

### Overview
We need to resolve the new `[ALERT #]` and either recommend dismissal of the alert or update the code files to resolve the alert.    

### Action Items
- [ ] The following action item serves to "link" this issue as the "tracking issue" for the CodeQL alert and to provide more details regarding the alert. 
- [ ] https://github.com/hackforla/website/security/code-scanning/`[ALERT #]`
- [ ] In a comment in this issue, add your analysis and recommendations.  The recommendation can be one of the following: `dismiss as test`, `dismiss as false positive`, `dismiss as won't fix`, or `update code`.  An example of a `false positive` is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as `---` or `{%`  
- [ ] If the recommendation is to dismiss the alert, apply the label `ready for dev lead` then move the issue to `Questions/In Review`
- [ ] If the recommendation is to update code:
   - [ ] create an issue branch and proceed with the code update
   - [ ] test using docker to ensure that there are no changes to any affected webpage(s)
   - [ ] proceed with pull request in the usual manner 

### Resources/Instructions
[^1]: [HfLA website: CodeQL scan alert audits - issue 5005](https://docs.google.com/spreadsheets/d/1B3R-fI8OW0LcYuwZICQZ2fB8sjlE3VsfyGIXoReNBIs/edit#gid=193401043)
[^2]:[Code scanning results page](https://github.com/hackforla/website/security/code-scanning)
[^3]: [CodeQL query help for JavaScript](https://codeql.github.com/codeql-query-help/javascript/)

- This issue was automatically generated from the codeql.yml workflow

[^1]:code scanning results page [^2]:[code scanning - in the GitHub REST API [^3]:Storing workflow data as artifacts [^4]:[template for issue to manage new alerts]

github-actions[bot] commented 1 year ago

Hi @roslynwythe.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing: Complexity, Role, Feature

NOTE: Please ignore the adding proper labels comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards. To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

ExperimentsInHonesty commented 8 months ago

@roslynwythe in the Action Items it says download the artifact. Since this is a script, is it actually downloading the artifact, and if so where does it download it to?

ExperimentsInHonesty commented 8 months ago

Reword issue. a file would be created (log file), and new data would be added to it.

github-actions[bot] commented 8 months ago

Hi @roslynwythe, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

roslynwythe commented 8 months ago

@ExperimentsInHonesty I changed the suggested strategy in this issue, so that every open CodeQL alert is examined and new tracking issues are created for those CodeQL alerts that do not have tracking issues.

github-actions[bot] commented 7 months ago

Hi @gaylem, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

gaylem commented 7 months ago

Availability: M-Th 11AM-6pm CT, Weekends 12pm - 4pm ETA: Monday, March 25th 10pm CT

gaylem commented 7 months ago

The changes I made to codeql.yml are passing successfully, but I also don't think I'm testing properly:

Here's what I've done so far:

  1. Created my own project board (but I don't think that helps in this case).
  2. Replaced gh-pages with * in the branches section at the top of the yml file.
  3. Replaced GITHUB_TOKEN with my own H4LA_TOKEN which is also stored on my repo in my secrets.
  4. Enabled Issues in my repo.
  5. Enabled Code Scanning in my Security tab. I'm seeing 38 active issues there.
  6. Pushed the changes to my own private repo, where the GHA completed successfully.

Here are the problems:

1. I'm not seeing any issues created in my Issues tab. My best guess is that the CodeQL security alerts only register for changes made to the gh-pages branch, which is why they aren't being detected. I'm nervous about messing with the gh-pages branch locally, so I'm hoping there's another approach. 2. I'm not seeing any of my echo statements print in my GHA logs. This could just be because my code is wrong. I was able to log echo statements before the Workflow completed successfully, so I'm not sure what changed.

Any advice would be greatly appreciated!

Here is the entire updated file. My changes are at the bottom under Check for CodeQL Alerts:

# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
  push:
    branches: [ "*" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "*" ]
  schedule:
    - cron: '30 5 * * 5'

jobs:
  analyze:
    name: Analyze
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'javascript' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
        # Use only 'java' to analyze code written in Java, Kotlin or both
        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
        queries: security-and-quality
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v3

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

    #   If the Autobuild fails above, remove it and uncomment the following three lines.
    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

    # - run: |
    #     echo "Run, Build Application using script"
    #     ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"

    - name: Check for CodeQL alerts
      run: |
        # Get a list of open CodeQL alerts
        alerts=$(curl -s -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -X GET "https://api.github.com/repos/${{ github.repository }}/code-scanning/alerts?state=active")

        # Check if there are any alerts
        if [[ -n $alerts ]]; then

          # Define the _jq function outside the loop to extract values from alerts JSON 
          _jq() {
            echo "$1" | jq -r "${2}"
          }

          # Loop through each alert
          while IFS= read -r alert; do

            # Extract necessary info from the alert
            alertId=$(echo "$alert" | jq -r '.number')
            locationPath=$(echo "$alert" | jq -r '.html_url')

            echo "alertId: $alertId"
            echo "locationPath: $locationPath"

            # Check if there is an existing tracking issue for the alert
            trackingIssue=$(curl -s -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -X GET "https://api.github.com/search/issues?q=repo:${{ github.repository }}+codeql-alert-id:${alertId}+state:open")

            echo "trackingIssue: $trackingIssue"

            # If no tracking issue exists, create a new one
            if [[ -z $trackingIssue ]]; then
              issueTitle="Resolve CodeQL query ${alertId} - generated by GHA"
              issueBody="{\"title\":\"$issueTitle\",\"body\":\"### Prerequisite\n1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).\n2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).\n\n### Overview\nWe need to resolve the new \`[ALERT ${alertId}]\` and either recommend dismissal of the alert or update the code files to resolve the alert.\n\n### Action Items\n- [ ] The following action item serves to \"link\" this issue as the \"tracking issue\" for the CodeQL alert and to provide more details regarding the alert.\n- [ ] ${locationPath}\n- [ ] In a comment in this issue, add your analysis and recommendations. The recommendation can be one of the following: \`dismiss as test\`, \`dismiss as false positive\`, \`dismiss as won't fix\`, or \`update code\`. An example of a \`false positive\` is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as \`---\` or \`{%\`\n- [ ] If the recommendation is to dismiss the alert, apply the label \`ready for dev lead\` then move the issue to \`Questions/In Review\`\n- [ ] If the recommendation is to update code:\n  - [ ] create an issue branch and proceed with the code update\n  - [ ] test using docker to ensure that there are no changes to any\"}"

              echo "issueBody: $issueBody"

              # Create a new issue
              response=$(curl -X POST -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -d "{\"title\":\"$issueTitle\",\"body\":\"$issueBody\"}" "https://api.github.com/repos/${{ github.repository }}/issues")

              echo "response: $response"

              # Extract the issueNumber from the response
              issueNumber=$(echo $response | jq -r '.number')

              echo "issueNumber: $issueNumber"

              # Add the "ready for dev lead" label to the new issue
              curl -X POST -H "Authorization: token ${{ secrets.H4LA_TOKEN }}" -d "{\"labels\":[\"ready for dev lead\"]}" "https://api.github.com/repos/${{ github.repository }}/issues/${issueNumber}}/labels"
            fi
          done
        fi
t-will-gillis commented 7 months ago

Hey @gaylem I took a look at the code you posted and tried to get it to run in my repo.

Hope at least that helps a little...

roslynwythe commented 7 months ago

@gaylem Unfortunately I'm also not familiar with curl in this context. If I understand correctly, you are not able to verify that curl is retrieving the list of alerts, so you might try the GitHub REST API, using the link sent by @t-will-gillis. The documentation mentioned that the token should have the security_events or the public_repo scope.

gaylem commented 7 months ago

Thank you so much @t-will-gillis and @roslynwythe!! I'll dig into your advice today and let you know how it goes.

ExperimentsInHonesty commented 7 months ago

@gaylem Im moving this issue back to in progress. If you need additional help, please add your comment and move it back to question column and add the ready for dev lead label.

gaylem commented 7 months ago

Progress: This issue is basically done, but I have a blocker related to my github-token on one of the codeql.yml steps I added. It doesn't appear to have sufficient permissions. Blockers: See details in this comment. Availability: Weekdays ETA: Uncertain, but hopefully by Wednesday 4/10/2024